Graphical Tools Help Security Experts Track Cyber-Attacks in Real Time

By Wayne Rash |
Posted 2013-06-17

Graphical Tools Help Security Experts Track Cyber-Attacks in Real Time

The image on the screen shows a cyber-attack in progress, but it doesn't look like the rows of reports that you usually expect to see as event data flows from intrusion prevention systems, next-generation firewalls and security reporting systems.

Instead, it looks like a fantastic image from something in the world of science fiction. Streams of data flow from the globe representing the Internet. Attack vectors are highlighted in red. You can watch the changes as the attacks progress.

As I had found when I attended a conference in Washington earlier in June, the world of cyber-security has changed. But how much it's changed became far clearer when I talked to some of the leading experts in the field. Perhaps what has changed the most is that new ways have emerged that allow the vast quantity of data to be monitored in real time. This means that you can see an attack as it's in the earliest stages—in time to take preventative action.

"We've managed in the past from rows and columns, then bar and pie charts," explained J.R. Reagan, Federal Chief Innovation Officer for Deloitte & Touche in Arlington, Va. But Reagan noted that this isn't very intuitive when it's happening at breakneck speed: "It's a post-digital problem."

Reagan said that due to the limitations in a person's ability to compare numbers and data in event logs, having other automated tools looking at an event as it happens means that the rapid understanding of the event is possible—especially in real time as things are actually happening.

"Maybe see the attack on a map, put it into more of a 3D spatial look, spider chart or 'bread crumbs' to see where it leads," Reagan suggested. An effective way to visualize such an attack, he said, is seeing random dots clustered around servers showing geography and even IP addresses, such as what's presented in Daedalus.

Graphical Tools Help Security Experts Track Cyber-Attacks in Real time

"You can see where bad transactions are coming from," Reagan said, "We've seen where you can combine the physical world and the network world and do a geospatial fly-in." Cyber-defense researchers are learning much from the casino gaming industry in Las Vegas, such as the need to put relationships to events and to the people behind the events, according to Reagan.

"You watch a person and who that person knows," he said, adding that by learning about those relationships, specialists can start to see the threats ramp up, and the forces being gathered before a cyber-attack begins. "Can see 'missions' against agencies," he said. "We can see the DDoS [distributed denial of service] buildup; see commands to the botnet start up." He said that by learning the relationships, cyber experts can find out what else a particular server has done and know what role it plays in the attack.

"The process uses predictive analytics," said Eric De Roos, senior director of Business Technology for MicroStrategy in Tyson's Corner, Va. "We can see events leading up to a DDoS attack. We'll get a flood of requests from a huge number of machines, and we can predict that this is going to happen."

De Roos said that when looking at events in real time, such as when observing a cyber-attack, it's important to be able to change metrics and views dynamically to reflect what's needed for a specific visualization at a particular time.

Unfortunately just because these advanced visualization tools are available doesn't mean they're being used. "We don't have a lot of visualization specialists in the security world," Reagan said. "Most security practitioners aren't steeped in analytics, but this is an analytics game. We have to get good at that to solve the problem."

What's worse is that the size of the problem is going to continue to grow. Cyber-criminals aren't letting grass grow under their feet either. Attacks continue to get more sophisticated, the attackers learn to employ their own advanced techniques, and the rewards for cyber-crime continue to rise.

Because the nature of attcks has changed, the need is already upon us to harness the analytic power that's available through the use of big data to fight off the attacks, to find out where the attackers are and to neutralize them. As one cyber-security specialist said to me recently, "We have to be right every time; they only have to be right once."

Fortunately, by using advanced analytics and visualization, cyber-defenders can help ensure that they're right every time.